package auth

import (
	"fmt"
	"net/http"
	"os"

	"github.com/gorilla/sessions"
	"github.com/markbates/goth"
	"github.com/markbates/goth/gothic"
	"github.com/markbates/goth/providers/github"
)

// SetupProviders installs the cookie session store that gothic uses and
// registers the GitHub OAuth provider with goth.
//
// Configuration is read from the environment:
//
//   - GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET: required; an error is returned
//     if either is empty.
//   - SESSION_SECRET: required, at least 32 bytes long; used as the cookie
//     store key.
//   - GITHUB_REDIRECT_URL: optional; falls back to a plain-HTTP localhost
//     callback when empty.
//   - SESSION_SECURE: cookies get the Secure attribute only when this is
//     exactly "true".
//
// It returns nil once gothic.Store is set and the provider is registered.
func SetupProviders() error {
	var (
		clientID     = os.Getenv("GITHUB_CLIENT_ID")
		clientSecret = os.Getenv("GITHUB_CLIENT_SECRET")
		callbackURL  = os.Getenv("GITHUB_REDIRECT_URL")
		secret       = os.Getenv("SESSION_SECRET")
	)

	// Validation order is significant: it decides which error a caller sees
	// when several settings are missing at once.
	switch {
	case clientID == "" || clientSecret == "":
		return fmt.Errorf("GitHub OAuth credentials not configured")
	case secret == "":
		return fmt.Errorf("SESSION_SECRET not configured")
	case len(secret) < 32:
		// len counts bytes, not characters, and says nothing about entropy;
		// the secret should come from a CSPRNG, not a passphrase.
		return fmt.Errorf("SESSION_SECRET must be at least 32 characters")
	}

	// NOTE(review): a deployment that forgets GITHUB_REDIRECT_URL silently
	// gets this plain-HTTP localhost callback instead of failing at startup.
	if callbackURL == "" {
		callbackURL = "http://localhost:8080/api/auth/github/callback"
	}

	// Session lifetime in seconds (24 hours).
	const sessionTTL = 86400

	// Secure is opt-in: any value other than the exact string "true"
	// (including "1" or "TRUE") leaves the session cookie eligible to be sent
	// over unencrypted HTTP. Production environments must set it.
	secureCookies := os.Getenv("SESSION_SECURE") == "true"

	// Only one key is passed, so the store authenticates cookie values (HMAC)
	// but does not encrypt them.
	// NOTE(review): gothic keeps provider session data in this store; confirm
	// whether that includes the OAuth access token, and if so consider
	// supplying a separate encryption key or a server-side store.
	cookies := sessions.NewCookieStore([]byte(secret))
	cookies.MaxAge(sessionTTL)
	cookies.Options = &sessions.Options{
		Path:     "/",
		HttpOnly: true,
		Secure:   secureCookies,
		SameSite: http.SameSiteLaxMode, // Lax still sends the cookie on the top-level redirect back from GitHub
		MaxAge:   sessionTTL,
	}

	// gothic.BeginAuthHandler requires the package-level store to be set.
	gothic.Store = cookies

	// NOTE(review): "user" and "repo" are broad GitHub scopes ("repo" covers
	// private repositories with write access). Confirm the application needs
	// them; narrower scopes such as "read:user" or "user:email" limit the
	// damage if a token leaks.
	goth.UseProviders(
		github.New(clientID, clientSecret, callbackURL, "user", "repo"),
	)

	return nil
}